Slashdot Mirror


HP Will Give You $10,000 To Hack Your Printer (zdnet.com)

hyperclocker shares a report: HP hopes to entice researchers with a $10,000 reward for finding vulnerabilities in printers. The tech giant revealed the new bug bounty program on Tuesday. The scheme, which is launching as a private bug bounty, is tailored specifically for HP printer hardware. While many of us use home printers simply for printing the occasional document or photo, in the enterprise, these devices are often found in a network. If there is a weak link in business networks, a single device -- whether it be a printer or smart air conditioning system -- can be exploited to compromise a wider network system.

Printers, especially if they are overlooked when it comes to firmware updates or upgrades, can become such avenues to exploit. According to research undertaken by Bugcrowd, "2018 State of Bug Bounty Report," endpoint devices are becoming a tantalizing target for threat actors, with a 21 percent increase in total endpoint bugs reported over the past 12 months. In partnership with bug bounty platform Bugcrowd, HP says it is the "only vendor" to launch a printer-only vulnerability disclosure scheme. Under the terms of the program, researchers can earn between $500 and $10,000 per legitimate find.

75 comments

  1. I hacked my last printer by DarkRookie · · Score: 2

    With a hammer.
    I think it was a HP one too.

    --
    The millennial that doesn't like most of the stuff designed for millennials.
    1. Re:I hacked my last printer by olsmeister · · Score: 2

      Damn it feels good to be a gangsta...

    2. Re:I hacked my last printer by Anonymous Coward · · Score: 0

      My last HP printer met a similar fate when it stopped working after only a year. #OfficeSpace

    3. Re:I hacked my last printer by reboot246 · · Score: 1

      I was thinking about hacking it with an ax, but I don't own an HP printer. Probably never will. Only Samsung (laser) and Canon (inkjet) for me!

    4. Re:I hacked my last printer by Anonymous Coward · · Score: 0

      actually the professional HP laser printers are very very good.. as long as it's the models that have an ethernet interface and sensible running costs

    5. Re:I hacked my last printer by johnsie · · Score: 1

      Yeah, these folks are buying the cheapies and expecting them to work like professional printers. There's a reason for the massive price difference.

  2. $10K to cut off 3rd party ink hacks is good spendi by Joe_Dragon · · Score: 2

    $10K to cut off 3rd party ink hacks is good spending.

  3. HP Instant Ink by Anonymous Coward · · Score: 3, Insightful

    This is probably to "secure" HP Instant Ink, which monitors your printer so you can give an unlimited amount of money to HP, for ink refills.

    It's basically the renting models for printers, except you pay for the printer, pay for the ink, pay to be monitored, and pay either per page, or per month.

    The best part is, when the printer dies, you also get to pay for the recycling!

    HP can also help you, by automatically sending you relevant ads, on the printer you paid for, with the paper you paid for, with the ink you pay for, with the electricity you pay for, and you compensate HP for this by letting them have access to your printing data and network!

    1. Re:HP Instant Ink by Anonymous Coward · · Score: 1

      HP can also help you, by automatically sending you relevant ads, on the printer you paid for, with the paper you paid for, with the ink you pay for, with the electricity you pay for, and you compensate HP for this by letting them have access to your printing data and network!

      A friend has one of those HP ink jet scanner combos. It has a smartphone like touch screen display with ads all over it. Unbelievable.

  4. haha by Anonymous Coward · · Score: 0

    this is how fxping piracy was done in late 90's early 00's, seems it's making a comeback and they need help setting up honey pots again

    go fuck yourselves ....not helping

  5. Oh, not just any printer. by Anonymous Coward · · Score: 0

    Never mind.

    I had some HP printers once, a long time ago. They were such POS that I swore I'd never buy another. And I never have.

    Epson FTW.

    1. Re: Oh, not just any printer. by Anonymous Coward · · Score: 0

      Yeah, my shop left HP after support refused to modify printer firmware that was designed to meet EU power requirements. Poor sales rep was amazed they wouldn't budge on such a small issue (basically a longer timeout before full shutdown). He lost over 3 months of commission too.

    2. Re:Oh, not just any printer. by bobbied · · Score: 1

      Never mind.

      I had some HP printers once, a long time ago. They were such POS that I swore I'd never buy another. And I never have.

      I'm with you on this, except I have a Brother now. I gave up on HP when the "replacement" printer they sent me was a refurbished one that normally comes with a 90 day warranty. Well I had 5 months left and, you guessed it, the refurbished one broke too. When I called them, they tried to claim I only had a 90 day warranty and that had expired.... Well, to make a really long story involving phone trees, cussing and legal threats short, they sent me a second refurbished printer, which died just after the 1 year mark (when my original warranty expired). I couldn't dump that thing fast enough.. The good thing though is they kept sending new ink supplies in all those printers, so I only had to buy one set.

      Never again, I will never own an HP anything unless it's given to me.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:Oh, not just any printer. by Anonymous Coward · · Score: 0

      Epson sucks. They have built in termination after you print so many pages. They claim it's due to the $0.02 ink pads becoming saturated with ink, but their printers will cease to function regardless of how dirty the ink pad actually is. They also won't let you simply clean or replace the pad, you have to buy a whole new printer.

      Fuck that scummy shit.

  6. Linux drivers by Anonymous Coward · · Score: 0

    Gee, I'd love to help you here, HP, but since none of your currently manufactured printers work with linux, I guess I'll have to pass.

    1. Re:Linux drivers by xxxJonBoyxxx · · Score: 1

      >> none of your currently manufactured printers work with linux

      They don't work that great with Windows either, natch.

    2. Re:Linux drivers by Opportunist · · Score: 1

      Don't feel so special, the main difference between you and a Windows user is that you didn't waste half a day trying to install the drivers, and another half day trying to undo the damage they did to your system.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Secure ink prices by Anonymous Coward · · Score: 0

    Redeemable as 2.5 cups -- 3 gallons of printer ink.

  8. Wow by lookthetripodtop · · Score: 1

    Wow this is a lot.

  9. Yellow dots by Dracos · · Score: 1

    Does removing the yellow dots that identify which printer a document came out of count?

    1. Re:Yellow dots by Trax3001BBS · · Score: 1

      Does removing the yellow dots that identify which printer a document came out of count?

      My first thought. This can be used to identify a person of a company to exploit.

  10. i have to hack mine every day by captbollocks · · Score: 1

    So my computer or iphone can find it. My HP printer is a shit printer.

  11. Prevent their spy printers from printing id codes by Anonymous Coward · · Score: 0

    Besides hacking off the yellow ink bin. What is this the Soviet Union?

  12. I should submit a bug for my LaserJet II by kalpol · · Score: 1

    I miss my old LaserJets. They were like an ox: slow, hot, and reliable over long distances.

    --
    12:50 - press return.
  13. How about paying someone to work on that? by Anonymous Coward · · Score: 0

    Do they think a lottery inspires more confidence? $10000 is peanuts, and it's up to $10000, but maybe only $500.

  14. Epson by Tsolias · · Score: 1

    Ecotank.

  15. Easy by FFOMelchior · · Score: 3, Funny

    Hacked mine to say my name. Please send my 10k.

    Sincerely,
    -Paul Christopher Loadletter

    1. Re:Easy by Tsolias · · Score: 1

      I thought it was "); DROP DATABASE USERS;

      I am not yelling you stupid filter, I am writing sql.

    2. Re:Easy by originalGMC · · Score: 1

      good old bobby tables

  16. Re:$10K to cut off 3rd party ink hacks is good spe by Anonymous Coward · · Score: 0

    Well hey, Canon has telemetry in their printers and Epson has built-in end-of-life in theirs. I'm not sure about HP, Samsung or Brother printers. I do know that my Okidata doesn't have any of that crap.

  17. Re:$10K to cut off 3rd party ink hacks is good spe by Archangel+Michael · · Score: 1

    I don't think this is the case. It is more like $10K to show how woefully inadequate printer security is, so you have to buy a whole new printer that is up to last year's standards, that are already obsolete.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  18. Would never use a HP by nospam007 · · Score: 3, Funny

    I remember fondly a long time ago, when one employee brought his private first HP color printer to his office and installed it on his machine.

    The install process replaced the print queue and it began immediately checking the company network for all printers that might be out of paper or ink, all over the world, from the US, to Europe, India and Japan.
    After an hour it had consumed all the bandwidth available polling 10-15000 printers and the network broke down.

    It was fun working IT those days.

    1. Re:Would never use a HP by Anonymous Coward · · Score: 0

      I know this is Slashdot, so I shouldn't take this too seriously...or was that 4chan?
      Anyway, I'm going to let the joke fly over my head and suggest that your company's network design was more to blame than the printer or its clueless owner.

      Assuming 5 people per printer (generous!), you worked at a company with at least 50,000 people. Seems like a large enough place that they should have been able to afford a better network design. Also, a better, well, everything.

      Back on topic, I inherited a Laserjet B&W printer from my grandfather. I don't use it often, but it couldn't have been a simpler install on my Fedora machine. The flatbed scanner, on the other hand, could have been simpler. Thanks, Epson.

    2. Re:Would never use a HP by nospam007 · · Score: 1

      "Anyway, I'm going to let the joke fly over my head and suggest that your company's network design was more to blame than the printer or its clueless owner."

      You were not born yet, or we would have hired you then.

  19. using off-brand ink cartridges by Anonymous Coward · · Score: 0

    requires hacks

  20. Not my printer by drinkypoo · · Score: 1

    My printer is a lj2300 with a jetdirect card which has well-known vulnerabilities which hp has decided not to fix. This is just pretense at caring about security, they don't actually give one shit.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Not my printer by Anonymous Coward · · Score: 0

      Did they offer some kind of refund? - if they didn't, then yeah, doesn't seem like they give a damn.

      Anyway, once they announce that it has known vulnerabilities, and no longer produce or sell the unit, the user should not use it if the vulnerabilities can be exploited. Printers are just too cheap for that.

      Although, if it's a wireless vulnerability, and you're living way out in the countryside, odds are good that no one will ever exploit it.

    2. Re:Not my printer by drinkypoo · · Score: 1

      It's actually wired vulnerabilities, but still lame. Odds are I will end up recycling it anyway because it has multiple feed problems and I just don't print much any more and can't justify the space it takes up, let alone the time to troubleshoot.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  21. Piss Off HP by Anonymous Coward · · Score: 0

    Maybe I "want" to hack my printer, without having HP screw it up.

  22. HP software is actual malware by Anonymous Coward · · Score: 0

    There is not enough mass in my body to hold the hate HP devices have grown in me, is like a black hole of suck... It has made my work day a continuous bottleneck.

  23. How can you even tell? by Sarusa · · Score: 1

    How can you even tell if your printer has been hacked or whether it's just HP's amazingly crappy drivers, software, and firmware?

    We've got two at work that are constantly breaking on their own. They'll mysteriously go to sleep and never wake up (yes, we disabled going to sleep). They'll stop responding and need to be hard power cycled by yanking the cord. The software is an astoundingly giant pile of crap (about a gig worth) that doesn't seem to do anything useful except burn 20% cpu. I know how to drop the software and keep just the drivers, but most people here don't. And then if you've just got the drivers it occasionally nags you about 'finishing the installation' by installing the rest of their crapware. The ink tanks are smaller than the bladder of an 80 yo man with prostate issues.

    I just use the Canon laser printer. That thing is rock solid and it runs fine with just the drivers. But being unofficially the guy who knows computers I keep getting drawn in with those f@#$ing HPs. If I had my way we'd run over them with a truck and replace them with Brother laser printers. That's the ultimate HP lifehack.

  24. security holes are the least of their worries by Anonymous Coward · · Score: 0

    Never mind hunting out vulnerabilities, pay people to get the bloody hp printers to work reliably.

  25. Anyone still using HP printers? by ukoda · · Score: 1

    I stopped buying HP printers when they stopped supporting Linux properly. I stopped recommending them when they introduced region locked protection on consumables. Given their anti-user policies does anyone still use them as the benchmark for a good printer like they used to be a decade ago? For me HP printers are just a sad footnote in history of a company who once understood their customers, then lost the plot just to keep bean counters happy.

    1. Re:Anyone still using HP printers? by BrianMarshall · · Score: 1

      On Fedora, I have been using HP All-in-One printer/fax/copier/scanners that cost less than $100. They tend to last for a few/several years. I don't do wireless; it is plugged into a USB port.

      I just have to ensure I include the required packages and it just works...

      hplip hplip-common hplip-libs libsane-hpaio sane-backends-drivers-scanners xsane

      --
      "When the going gets weird, the weird turn pro" -- HST
    2. Re:Anyone still using HP printers? by Anonymous Coward · · Score: 0

      I stopped buying HP printers when they stopped supporting Linux properly.

      What's wrong with their support? HP Linux imaging and printing

      A few years back I selected HP just because of their good Linux support.
      I had tried to make a Canon all-in-one to work with my system before that - it had no official support at all, only community hacks.

  26. Vulnerability found... "Inkjets" by Anonymous Coward · · Score: 0

    People who buy Inkjets are 100% vulnerable to being ripped off for being fucking idiots. Send my check to the "Help make murika smart again" charity.

  27. stuxnet anyone? by originalGMC · · Score: 1

    or maybe just play with the IIS a little on HP's shitty web server.

  28. Sheeet.... by Type44Q · · Score: 1

    "Sheeet, ain't much point in hacking your printer unless it lets you print out your own ten grand."

    -above-average intelligence Texan/genius-level Okie

  29. Only one question by Anonymous Coward · · Score: 0

    What's a Printer?

    Is that like a CD or Palm Pilot? Just wondering.

  30. The $10,000 is payable in... by bobbied · · Score: 1

    Print cartridges (remanufactured) and photo paper for your printer. Enough for 500 pages.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  31. You can keep the $10,000 by Anonymous Coward · · Score: 0

    Just give me free ink for life.

    Captcha: "illegal". It's like Slashdot has AI...

    1. Re:You can keep the $10,000 by Opportunist · · Score: 1

      Now, now, don't get greedy.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  32. Really Easy by Anonymous Coward · · Score: 0

    My HP Laserjet 5si with a JetDirect card has telnet and ftp wide open without authentication. Pay up HP.

  33. Why bother? by Opportunist · · Score: 1

    The average HP printer goes dead after no longer than a year anyway. It's a futile task to try to hack them, by the time you're done, it probably croaks anyway.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Why bother? by Anonymous Coward · · Score: 0

      The average HP printer goes dead after no longer than a year anyway. It's a futile task to try to hack them, by the time you're done, it probably croaks anyway.

      That's not even close to my experience with enterprise HP laser printers.

      Back when HP actually had an engineering department and was a reputable company (in a good way), their laser printers were built like tanks to last forever, and their print servers were the gold standard.
      It truly is sad what HP has become these days if you experienced them in the past.

      At work we have 17 HP laser printers, the *newest* of those was purchased in December 2015, and the *oldest* ones in 2008.

      At home I still have an HP laserjet 4mv+ which was originally released in 1994, and the one I bought was only a couple years after that (I bought it used)

      This 22+ year old printer still works, and the only reason I no longer actively use it is because toner cartridges are no longer made, and refurbished ones just broke the $100 price point about 3 or so years ago.

      Back when I actually printed a lot, those toner cartridges would still last over a year easily, and even when my printing went down to a small handful of times per year those toner carts would seemingly last forever.

  34. Remembering the old ones by BrianMarshall · · Score: 1

    Does anyone remember HP pen plotters in the '80s with "Hewlett Packard Grit Wheel Paper-Moving Technology"(TM)?

    --
    "When the going gets weird, the weird turn pro" -- HST
    1. Re:Remembering the old ones by IWantMoreSpamPlease · · Score: 1

      Always wanted a pen plotter back then.
      Now, I don't think the ports, drivers, or the ink pens still exist...

      --
      So rise up, all ye lost ones, as one, we'll claw the clouds.
  35. Hack them to take 3rd party toner/ink/page counts by Anonymous Coward · · Score: 0

    Those are the only hacks that are worth it for consumers. Don't lift a finger to help HP do their own security and product R&D unless they pay you.

    Still bitter after my Samsung color laser got stealth upgraded after HP bought the product line.. I had a full set of 3rd-party toner carts that were working *perfectly* until the software made the printer go full-on a$$hole and reject them. Now I have to pay over $400 for toner refills. I'd be better off printing my pages with gold dust at those rates.

  36. What is the bounty by Anonymous Coward · · Score: 0

    for just getting the printer to work?

  37. Not about their Desktop Range by blackpaw · · Score: 1

    This is in regards to their Multifunction Enterprise copiers (Futuresmart 4). They run embedded linux, export a SOAP sdk for remote coding, embedded applications and authentication.

  38. A Large Target to Hack, Too by that+this+is+not+und · · Score: 0

    The last time I downloaded a Laserjet Windows Driver, I think it was about a 350MB payload.

    That's a lot of printer driver. Surely there must be tons of exploits and badly written code in that big of a turd.

  39. Provide Firmware by Anonymous Coward · · Score: 0

    HP provide all the firmware ever made!

    I picked up a second hand HP LaserJet 4700dn from 2007. The firmware is so old that I can't update it because the HP website has firmware that is too new that the printer won't accept it.

    Trying to browse the HP website and FTP, even the web archive and FTP search crawlers found nothing.

    Other than that once I replaced the transfer kit and added an old 512MB RAM stick from a retired laptop it has been great.

    1. Re:Provide Firmware by Anonymous Coward · · Score: 0

      OP Here

      Nevermind, tried the upload to printer's FTP method instead of the web interface and it worked.

  40. Epson doesn't need to be hacked by Antiocheian · · Score: 1

    Don't waste time and money with HP. Get an Epson EcoTank instead and, if you're planning to use it for a very long time, invest in a waste pad replacement or a bladder.

  41. Dangles $10K reward, gives $500 by greylion3 · · Score: 1

    Nice - offers $10K reward, then probably only pays $500 when a serious vulnerability is found.

    This is somewhat similar to the "please fill out this 10-page survey, and you have the chance to win $20K!", except that no one ever wins anything.

    --
    Privacy begins with ..
  42. Does this count? by Anonymous Coward · · Score: 0

    In my office building my phone shows an HP printer for a WIFI AP....

    A friend of mine used the following tactic to persuade the owner to turn WIFI off: He printed a warning: your WIFI is on, anybody can use your toner and paper. First once a day, then more often...

  43. Re:$10K to cut off 3rd party ink hacks is good spe by Anonymous Coward · · Score: 0

    I wouldn't say that, HP has put out driver updates that update the firmware on the LaserJet models to require signed firmware updates if they didn't require it already. My guess is people were bypassing the page count limit per toner cartridge restriction, but it could have also been the yellow dots identification mechanism being bypassed that they wanted to protect.

    This just makes it easier for them to lock it down further, by patching exploits that could get around their restrictions.

  44. documentation by e70838 · · Score: 1

    I have a HP Officejet Pro 7612. I have little experience in hacking (I have almost finished Stripe CTF 2), but I have not found much documentation about my printer. I am interested in trying to hack my printer, at least to know better all it can do. Do you have links to doc or code?

    1. Re:documentation by johnsie · · Score: 1

      Try the HP website, or Google it.

  45. Re:$10K to cut off 3rd party ink hacks is good spe by thegarbz · · Score: 1

    Interestingly the last HP advert I saw about printers directly talked about security risks that are network attached printers. It seems HP may be the only company that is at least giving this space some thought.

    Not that I think they have coders capable of making secure printers, but they are giving it some thought.

  46. do the bugs really matter by bonedonut · · Score: 1

    when the hardware is garbage?

  47. Nice try! by Anonymous Coward · · Score: 0

    They are just trying to get us to buy hp printers to hack.

  48. 10K? That's almost enough for a legit ink refill! by wardrich86 · · Score: 1

    Wow, I could almost afford to do a full first-party ink cartridge replacement with that kind of money! What a fucking scumbag company... the printer market needs to shoot itself in the foot already.

  49. Opposite is true for me... by dfenstrate · · Score: 1

    $10K to cut off 3rd party ink hacks is good spending.

    I picked up an HP office jet 476dx and I bought 3rd party inks.... and the printer gave some generic error and refused to use the cartridges.
    Then I updated the firmware to HP's latest, and I could use the inks.
    The point is that they shipped a printer that couldn't use third party inks, and then were guilted or otherwise moved to update the firmware to allow them. The printer now works fine with 3rd party inks that cost 1/4 what HP charges, and I only have to tolerate the printer bitching a bit when I replace a cartridge ('You really should use HP inks, never know about this third party stuff.')
    I'd say that's good enough.

    --
    Alcohol, Tobacco and Firearms should be the name of a store, not a government agency.
  50. brings back memories by PJ6 · · Score: 1

    Back in the day, there was no printer security to speak of, and we had HP printers available all over the WAN. I got bored one day so I set their default messages to perplexing things such as "INSERT COIN", or "OUT OF CHOCOLATE". This was when most people were still afraid of the arrival of computers in the workplace - credulous, nearly to a man - so the effect was very satisfying.

    And I also wrote a program to simulate a dirty mouse (back when they had balls). Gave it to one of the IT guys and we heard the lady in shipping and receiving beating the shit out of it on her desk, and he ran over to stop her but we were both laughing until we had tears.

    Man, those were the days.